To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\comct\KLClientApp.exe' = '%TEMP%\comct\KLClientApp.exe:*:Enable...
Creates and executes the following:
- '<SYSTEM32>\wscript.exe' "%TEMP%\comct\injector.vbs"
Executes the following:
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Edge DNS" dir=in action=allow program="%TEMP%\comct\KLClientApp.exe"
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\comct\KLClientApp.exe" "Edge DNS" ENABLE
- '%TEMP%\comct\KLClientApp.exe'
- '<SYSTEM32>\taskkill.exe' /F /IM KLClientApp.exe
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM wscript.exe
- '<SYSTEM32>\taskkill.exe' /F /IM wscript.exe
- '<SYSTEM32>\cmd.exe' /c TASKKILL /F /IM KLClientApp.exe
Searches for windows to
detect analytical utilities:
- ClassName: '' WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass' WindowName: ''
- ClassName: '' WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'FilemonClass' WindowName: ''
- ClassName: '' WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: ''